Simplified method for renewing symmetrical keys in a digital network

ABSTRACT

The invention concerns a method implemented in a communication network comprising a source device including: a first symmetrical key for encrypting data to be transmitted to a display device connected to the network; and the first symmetrical key encrypted with a second symmetrical network key known only to at least one display device connected to the network. When the source device needs to renew its first symmetrical key to encrypt new data, it generates a random number, then it calculates a new symmetrical key based on the first symmetrical key and on the random number. It then encrypts the data to be transmitted with the new symmetrical key and transmits to a display device, via the network: the data encrypted with the new symmetrical key, the random number, and the first encrypted symmetrical key with the second symmetrical network key.

FIELD OF THE INVENTION

The present invention relates generally to the domain of managing cryptographic keys in local digital networks and more particularly in digital home networks.

BACKGROUND ART

Such a network comprises a set of devices interconnected by a digital bus, for example a bus according to the standard IEEE 1394. It particularly comprises two types of devices:

Source devices capable of sending data over the network: these devices can recover the data through a “channel” external to the network.

Presentation devices adapted to receive the data circulating on the network, to process it or present it to the user.

Hence, if the example of a digital home network designed to carry audio and/or video data to the various rooms of a house is used, the source devices are for example digital decoders receiving video programs from outside the network via a satellite antenna or via a cable connection, or even optical disc drives broadcasting data (audio and/or video) in digital form, on the network, read from a disc (in this case, the disc contains data coming from outside the network). The presentation devices are for example television receivers that can display video programs received from the network or, more generally, any type of device with the capability of decrypting encrypted data.

If one considers the viewpoint of the content providers that supply data coming from outside the local network, particularly service providers broadcasting Pay TV programs or optical disc editors for example, it is necessary to ensure that this transmitted data cannot be copied and circulated freely (for example by being copied onto an optical disc or any other recording medium) from one local network to another.

For this, it is known that data can be transmitted in secret form by encrypting it with cryptography algorithms using keys that are known beforehand by the devices authorised to receive this data, or else that are exchanged according to specific secure protocols between the content provider and these devices.

The patent application PCT WO 00/62505 in the name of THOMSON multimedia, filed on Mar. 31, 2000 and claiming the priority of a French patent application in the name of the same applicant, filed on Apr. 13, 1999 and published under the reference FR 2792482, relates to a home network in which a public key specific to the network is used to encrypt the data circulating between the devices of the network, typically from the source devices mentioned above toward presentation devices. Only the presentation devices of this network have the private key corresponding to the public key. The pair (public key, private key) being specific to the network, data encrypted within the framework of this network cannot be decrypted by the devices of another network.

The use of a pair of asymmetric keys has some advantages, but also a few disadvantages. One of the main advantages is that no secret is memorized in the source devices: these devices know the public key but not the private key. However, the implementation of asymmetric keys is relatively slow with respect to that of symmetric keys. Moreover, the lifetime of asymmetric keys is short, demanding a regular revocation and the creation of new keys. In this case, data encrypted with a key, then recorded, can suddenly no longer be decrypted on the network. In addition, a large number of asymmetric keys are required.

The use of a symmetric key to encrypt the data would be considered attractive. However, this would require the source devices to know this key, which would impose increased security constraints on them and consequently make them more expensive.

The present invention aims to solve the above-mentioned problems.

SUMMARY OF THE INVENTION

The subject of the invention is a method for renewing a symmetric key in a communication network comprising a device of a first type containing:

a first symmetric key for encrypting the data to be transmitted to a device of a second type connected to the network; and

said first symmetric key encrypted with a second symmetric network key known only by at least one device of a second type connected to said network.

According to the method, the device of a first type generates a random number, then computes a new symmetric key as a function of the first symmetric key and the random number. It then encrypts the data to transmit with the new symmetric key, then it transmits to a device of a second type, via the network:

the data encrypted with the new symmetric key;

the random number; and

the first symmetric key encrypted with the second symmetric network key.

The method can additionally comprise the steps that consist, for the device of a second type that receives the data transmitted by the device of a first type, of decrypting, with the second symmetric network key, the encryption of the first symmetric key; then determining, from the first symmetric key obtained in this manner and the random number received, the new symmetric key; and decrypting the data received with the new symmetric key thus obtained.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the invention will emerge from the description of non-restrictive particular embodiments, explained using the figures herein, among which:

FIG. 1 is a block diagram of a communication network connecting several devices in which the invention is implemented;

FIGS. 2 and 3 are timing diagrams illustrating the communications between an encrypted data source device and a presentation device of the said data in such a network according to an embodiment of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENT OF THE INVENTION

An example of a communication network will be described initially to illustrate the manner in which the data and the different keys are exchanged. Subsequently, a more detailed description will be given of the specific management of the keys and their use for a secure transmission of data between a source device and a presentation device.

I] Description of the Network

FIG. 1 shows a digital home network comprising a source device 1, a presentation device 2 and a recording device 3 interconnected by a digital bus 4, which is for example a bus according to the standard IEEE 1394.

The source device 1 comprises a digital decoder 10 featuring a smart card reader fitted with a smart card 11. This decoder receives digital data, particularly audio/video programs broadcast by a service provider.

The presentation device 2 comprises a digital television receiver (DTV) 20 featuring a smart card reader fitted with a smart card 21, and the recording device 3 is particularly a digital video recorder (DVCR).

The digital data that enters the network via the source device 1 is generally data scrambled by a content provider, for example according to the principle of pay television. In this case, the data is scrambled using control words CW that are themselves transmitted in the data flow in encrypted form using an encryption key K_(F), by being contained in ECM (Entitlement Control Message) control messages. The encryption key K_(F) is made available to users that have paid to receive the data, particularly by being stored in a smart card. In the example of FIG. 1, the smart card 11 contains such a key K_(F) together with a conditional access module CA 14 capable of decrypting the control words CW.

However, it should be noted that frequently the authorization to receive the data is only temporary, as long as the user pays a subscription to the content provider. The key K_(F) is therefore modified regularly by the content provider. Thanks to the method that will be described hereafter, the user will nevertheless be able to record the programs broadcast while he is a subscriber and can replay them as many times as he wishes on his own network, even when the key K_(F) has been changed. However, as the data is recorded in scrambled form in the manner described, it can only be read on the network of the user that recorded it.

The source device 1 that receives this scrambled digital data formats it so that it can be broadcast on the digital network in a protection format specific to the domestic network. The decoder 10 comprises an “ECM unit” module 13 that extracts, from the flow of data received, the ECM messages containing the control words encrypted using the key K_(F), to send them to the CA module 14. This module decrypts the control words CW and transmits them to a converter module 12 also contained in the smart card 11.

The converter module 12 contains a symmetric key K_(C), for which the generation and transmission between the devices of the network will be described hereafter.

It should be noted that in FIG. 1, the network is shown in the state in which it is found when all the devices have been connected and have exchanged cryptographic keys according to the methods described hereafter. FIG. 1 particularly illustrates, for the source device 1 and presentation device 2, all the keys contained in each device. The keys shown are not necessarily present at every moment in the devices.

In particular, the presentation device 2 comprises in a memory a symmetric network key K_(N). This key is distributed to every new presentation device recently connected to the network according to a secure protocol that is not the subject of the present invention and will not be described in further detail. Moreover, each presentation device has a pair of asymmetric keys (K_(PUBT), K_(PRIT)), the first key being public and the second private. These keys are used within the framework of the authentication of network devices, as well as for the initial exchange of the symmetric keys, as we will show subsequently.

The converter module 12 uses the symmetric key K_(C) to encrypt the control words CW and it inserts these encrypted control words into messages called LECM (Local Entitlement Control Message). These LECM messages have the same function as the ECM messages included in the data flows received initially, namely to transmit the control words in a protected form, but in the LECM messages the control words CW are encrypted using the symmetric key K_(C) instead of being encrypted using the key K_(F) of the content provider.

Preferably, the key K_(C) is frequently renewed, for example at the initiation of each transmission of data, with the purpose of preventing the source device from containing a long term secret, which would require increased protection.

Moreover, the converter module 12 inserts the symmetric key K_(C) itself into the LECM messages, but encrypted using another symmetric key K_(N) by an algorithm E2, that is E2{K_(N)}(K_(C)).

In the rest of the description, the notation “E{K}(M)” will be used to mean the encryption of data M by an algorithm E with a key K.

The key K_(N), which will be called network key hereafter, is not located in the source device 1, but in the presentation device 2. Following the creation of the key K_(C), this latter is transmitted in a secure manner to the presentation device 2, which encrypts it using K_(N) and retransmits the result to the source device, which memorizes it in the converter module 12 of its card for subsequent use.

The LECM messages thus constructed are then sent to the ECM unit 13, which inserts them into the flow of data instead of the ECM messages. It should be noted that when the content received is not already in scrambled form as described above and does not contain any ECM message, the converter module 12 is responsible in this case for putting the data in this form, so that the data flow broadcast on the bus 4 is always in the form of data packets such as the packet 40 shown in FIG. 1, containing an LECM message and scrambled data.

The content of this packet can be summarized as follows:

LECM | E4{CW}(<data>); i.e.:

E2{K_(N)}(K_(C)) | E3{K_(C)}(CW) | E4{CW}(<data>);

where “|” represents the concatenation operator.

The data therefore always circulates in scrambled form on the bus 4, and only the devices with access to the symmetric key K_(C) can decrypt the control words CW and therefore decrypt the data. These devices are those having the network key K_(N). This therefore prevents any copy made in the domestic network of FIG. 1 from being broadcast on other local networks.

When the digital television receiver 20 receives the data packets 40, they are transmitted to the “LECM unit” module 23, which extracts the LECM messages from them to be sent to a terminal module 22 contained in the smart card 21. This card first decrypts E2{K_(N)}(K_(C)) using the key K_(N) that it contains to obtain the key K_(C). Next, using the key K_(C), it decrypts E3{K_(C)}(CW) to obtain the control word CW, which it transmits to the “LECM unit” module 23. It can then unscramble the data E4{CW}(<data>) using the control word. The unscrambled data is then presented to the user. For video data, this data can be viewed on the television receiver 20.

Thanks to the local digital network described above, the flow of data received from a content provider is converted by the source device which receives it into a data flow in which the data (or more specifically the control words CW) is encrypted with a symmetric key K_(C). The key K_(C) is transmitted with the data encrypted with its help, being itself encrypted using another symmetric key, the network key K_(N). The flow of data circulating in the local network thus contains data having a format specific to this local network that can only be decrypted by the presentation devices of the local network, which all contain the network key K_(N).

In addition, as the key K_(C) is broadcast with the data (in encrypted form), it can be recorded, for example by the digital video recorder (DVCR) 4, at the same time as the data, which will provide subsequent access to the encrypted data.

Moreover, as the network key K_(N) is not stored in the source devices, they do not contain any “long term” secret requiring increased security precautions.

However, the key K_(C) must be renewed frequently, and a more detailed description will now be given of how this key K_(C) is generated and how its encryption using the network key K_(N) is obtained according to different variants.

II] Generation and Management of the Symmetric Key K_(C) During a First Connection to the Network of a Source Device

Suppose that the source device 1 has just been connected to the domestic network illustrated in FIG. 1. Initially, it has no key in its converter module 12.

FIG. 2 shows the stages of an initial protocol enabling the source device to obtain a symmetric key K_(C) encrypted using the network key K_(N) held by a presentation device of the network.

In a first stage 101, the source device 1 launches a request on the network, requesting any presentation device to send its public key to it. In FIG. 1, a single presentation device is shown, but naturally the digital home network can comprise several different presentation devices connected to the bus 4. All the presentation devices present and in the “activated” status on the network (namely, those whose power supply is not off or which are not in a standby mode with greatly reduced power supplied to the circuits of the device) are supposed to respond to the request of the source device by sending their public key.

Hereafter, it is assumed that the first key received by the source device 1 is the public key K_(PUBT) sent during step 102 by the presentation device 2. The source device 1 acknowledges the first message received and will then exchange messages with the relevant presentation device.

The source device 1, and more precisely the converter module 12, then randomly generates a “short term” symmetric key K_(C) and memorises this key K_(C) (step 103). For example, it uses a pseudo-random number generator for the generation of K_(C).

The key K_(C) is then encrypted at step 104 with the public key K_(PUBT) by means of an asymmetric encryption algorithm E1, for example the algorithm “RSA OAEP” (“Rivest, Shamir, Adleman Optimal Asymmetric Encryption Padding”, described in “PKCS#1: RSA Cryptography Specifications, version 2.0 (October 1998)”), then transmitted in encrypted form E1{K_(PUBT)}(K_(C)) to the presentation device 2 (step 105). This presentation device decrypts the key K_(C) using its private key K_(PRIT), then encrypts it again according to a symmetric encryption algorithm E2 using the symmetric network key K_(N) (step 106) and sends back K_(C) thus encrypted (i.e. E2{K_(N)}(K_(C))) to the source device (step 107), which memorizes this information (step 108), preferably in its converter module 12.

At the end of this first series of steps 101 to 108, the source device 1 thus possesses a symmetric key K_(C) in its converter module 12 that can be used to encrypt data, typically the control words CW, and the encryption of this key K_(C) using the network key K_(N). It is then ready to broadcast data over the network. It should be noted that the source device does not know the secret network key K_(N).

The subsequent steps 109 to 113 shown in FIG. 2 relate to the transmission of “useful” data, i.e. typically scrambled audio/video data.

The data received by the source device 1 comprises ECM messages. The source device decrypts these messages to extract the control words CW from them, then it encrypts the control words CW using the symmetric key K_(C) by means of a symmetric encryption algorithm E3 (step 109). The source device 1 then reinserts these encrypted control words (i.e. E3{K_(C)}(CW)) into the data flow and transmits all the data over the bus 4 to the presentation device(s) on the network (step 110). During step 110, the source device also sends the key K_(C) encrypted using K_(N) that it previously memorized at step 108. In practice, the data E2{K_(N)}(K_(C)) and E3{K_(C)}(CW) are inserted into the LECM message that is sent with the scrambled “useful” data E4{CW}(<Data>).

It should also be noted that the useful data transmitted at step 110 are encrypted according to a symmetric encryption algorithm E4 using the control words CW.

The presentation device 2 that receives the data sent at step 110 first decrypts E2{K_(N)}(K_(C)) using K_(N) to obtain the key K_(C), which is memorized (step 111), and, using K_(C), it can decrypt E3{K_(C)}(CW) to access the control words CW (step 112) and thus descramble the useful data (step 113).

The symmetric encryption algorithms E2, E3 and E4 can be identical or different. For example, it is possible to use the “AES” algorithm (Advanced Encryption Standard, also called “Rijndael”, described by J. Daemen and V. Rijmen in “Proceedings from the First Advanced Encryption Standard Candidate Conference, National Institute of Standards and Technology (NIST), August 1998”), or else the “TwoFish” algorithm (described in the article “TwoFish—a Block Encryption Algorithm” by B. Schneier, J. Kelsey, D. Whiting, D. Wagner and N. Ferguson, published in the same NIST conference report).

III] Renewal of the Symmetric Key K_(C)

When it is necessary to renew the key K_(C), particularly before broadcasting new content on the network, one can consider using the same protocol as described in FIG. 2 (steps 101 to 108). Nevertheless, this protocol involves encryption computations using asymmetric algorithms that require a fairly large computing power and which are relatively slow to execute in smart card processors. This is why a second protocol is used for the renewal of the “short term” symmetric key K_(C).

This second protocol enabling the renewal of the symmetric key K_(C) is shown in FIG. 5.

According to this protocol, during a first step 400, the source device 1 (or more specifically its converter module 12) generates a random number D and memorizes it. It then computes (step 401) the new symmetric key K′_(C) by applying a function f to the key K_(C) memorized during the first protocol (at step 103) and to the number D. The function f is particularly a classic derivation function such as a hash function (for example, the function SHA-1 described in the document “Secure Hash Standard, FIPS PUB 180-1, National Institute of Standards and Technology, 1995” can be used) or even an encryption function such as the function XOR. It is a “one way” function, namely, knowing the result f(K_(C), D) and the number D, it is impossible to find the key K_(C).

Step 402 corresponds to step 109 of the protocol of FIG. 2 and consists of extracting the ECM messages included in the data received by the source device, decrypting them in the CA module 14 to extract the control words CW from them, and encrypting these control words in the converter module using the new symmetric key K′_(C). However, the broadcasting of “useful” data over the network by the source device is slightly different from the broadcasting carried out in step 110.

Indeed, in step 403, the source device inserts the random number D generated in step 400 into the LECM message. It also inserts the following into this LECM message:

the initial symmetric key K_(C) encrypted with the network key K_(N) (E2{K_(N)}(K_(C))); and

one or more control words CW encrypted with the new symmetric key K′_(C) (E3{K′_(C)}(CW)).

When the presentation device 2 receives the data broadcast in step 403, it first decrypts E2{K_(N)}(K_(C)) with the network key K_(N) (step 404), then it computes the new symmetric key K′_(C) from K_(C) and from D by applying the function f (step 405). Having obtained K′_(C), it can then decrypt E3{K′_(C)}(CW) to obtain the control word CW (step 406) and unscramble the “useful” data using this control word (step 407).

Thanks to this protocol, it is unnecessary to exchange data between a source device and a receiver device to obtain the renewal of a symmetric key K′_(C). This is particularly advantageous, for example, when no presentation device is in an “activated” status on the network and a user wants to record a program (digital content) received by the source device. The source device can thus renew its symmetric encryption key K_(C) without requiring any presentation device, and can thus broadcast useful data accompanied by LECM messages protected by this renewed key so that the data is recorded in a digital storage device such as the video recorder 3 of FIG. 1.
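The renewal protocol of steps 400 to 407, worked through end to end as an added example; this is not code from the patent or from any THOMSON implementation. It uses only the Python standard library, so E2 and E3 are stood in for by a small encrypt-then-MAC scheme built from HMAC-SHA256 (the text suggests AES or TwoFish), f is HMAC-SHA256, the FIG. 2 asymmetric leg is replaced by handing K_(C) to the presentation device directly, and the LECM field names are ours.

```python
"""Key renewal of Section III (steps 400 to 407), Python stdlib only.
Stand-ins: E2/E3 = encrypt-then-MAC built from HMAC-SHA256 (the text
suggests AES or TwoFish); f = HMAC-SHA256; LECM field names are ours."""
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, yielding n keystream bytes."""
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def enc(key: bytes, msg: bytes) -> bytes:
    """E{K}(M) -> nonce | ciphertext | tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key: bytes, blob: bytes) -> bytes:
    """Inverse of enc; rejects a wrong key or a modified message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def f(k_c: bytes, d: bytes) -> bytes:
    """One-way derivation K'_C = f(K_C, D): K'_C and D do not reveal K_C."""
    return hmac.new(k_c, d, hashlib.sha256).digest()

class PresentationDevice:
    """Terminal module 22: the only holder of the network key K_N."""
    def __init__(self, k_n: bytes):
        self.k_n = k_n
    def wrap_kc(self, k_c: bytes) -> bytes:
        return enc(self.k_n, k_c)                   # step 106: E2{K_N}(K_C)
    def recover_cw(self, lecm: dict) -> bytes:
        k_c = dec(self.k_n, lecm["E2_KN_KC"])       # step 404
        k_c_new = f(k_c, lecm["D"])                 # step 405
        return dec(k_c_new, lecm["E3_KC_CW"])       # step 406

class SourceDevice:
    """Converter module 12: holds K_C and E2{K_N}(K_C), never K_N."""
    def __init__(self, k_c: bytes, wrapped_kc: bytes):
        self.k_c, self.wrapped_kc = k_c, wrapped_kc
    def renewed_lecm(self, cw: bytes) -> dict:
        d = secrets.token_bytes(16)                 # step 400
        k_c_new = f(self.k_c, d)                    # step 401
        return {"E2_KN_KC": self.wrapped_kc,        # step 403: old wrapped key,
                "D": d,                             # the random number, and
                "E3_KC_CW": enc(k_c_new, cw)}       # CW under the renewed key

def run_renewal():
    """Returns (CW sent, CW recovered on the home network, rejected elsewhere)."""
    home = PresentationDevice(secrets.token_bytes(32))
    k_c = secrets.token_bytes(32)                   # step 103
    src = SourceDevice(k_c, home.wrap_kc(k_c))      # steps 104-108, asymmetric leg elided
    cw = secrets.token_bytes(8)                     # constructed sample control word
    lecm = src.renewed_lecm(cw)                     # no presentation device involved
    try:                                            # a device of another network (other K_N)
        PresentationDevice(secrets.token_bytes(32)).recover_cw(lecm)
        rejected = False
    except ValueError:
        rejected = True
    return cw, home.recover_cw(lecm), rejected

def xor_derivation_leaks_kc(k_c: bytes, d: bytes) -> bool:
    """Caveat: with f = XOR, D together with K'_C gives K_C back exactly."""
    k_c_new = bytes(a ^ b for a, b in zip(k_c, d))
    return bytes(a ^ b for a, b in zip(k_c_new, d)) == k_c
```

The last function records why the XOR option is weaker than a hash: with f = XOR, D and K′_(C) together give K_(C) back, so the “one way” property the text relies on does not hold for that choice.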

1. Method for renewing a symmetric key in a communication network comprising a device of a first type containing: a first symmetric key for encrypting the data to be sent to a device of a second type connected to the network; and said first symmetric key encrypted with a second symmetric network key known only by at least one device of a second type connected to said network, the method comprising the steps that consist, for the device of a first type, in: (a) generating a random number; (b) computing a new symmetric key as a function of the first symmetric key and said random number; (c) encrypting the data to be transmitted with the new symmetric key; and (d) transmitting to a device of a second type, via said network: the data encrypted with the new symmetric key; the random number; and said first symmetric key encrypted with the second symmetric network key.

2. Method according to claim 1, wherein the function used to compute the new symmetric key is a one-way derivation function.

3. Method according to claim 2, wherein the function is a hash or encryption function.

4. Method according to claim 1, also comprising the steps consisting, for the device of a second type that receives data transmitted at step (d), in: (e) decrypting, with the second symmetric network key, the encryption of the first symmetric key; (f) determining, based on the first symmetric key obtained at step (e) and on said random number, the new symmetric key; and (g) decrypting the data received with the new symmetric key thus obtained.